Purpose
To ensure the confidentiality and integrity of University data, this best practice outlines the required procedures for verifying identity before discussing or disclosing sensitive information over the phone and in person.
Scope
This best practice applies to all University employees, contractors, and affiliates who handle sensitive or confidential information.
Best Practice Statement
University staff must not disclose sensitive or confidential information over the phone or in person unless the identity of the caller or visitor has been properly verified using approved methods.
Required identity verification
Before discussing or accepting changes to sensitive information over the phone, staff must verify the caller’s identity by requesting the following:
- Date of birth
- Last four digits of Social Security Number
Only after successful verification may the staff proceed with the call.
Before discussing or accepting changes to sensitive information in person, staff must verify the visitor’s identity by requesting the following:
- Valid government photo identification
- Date of birth
- Last four digits of Social Security Number (if photo identification is not available)
Banking information handling
- Staff may ask the requestor to provide their banking information for verification or update purposes
- Do not disclose the banking information currently on file under any circumstances
- If the requestor provides new or updated banking information, it may be recorded following standard procedures
- Note: Capturing banking information over the phone for an employee should be a rare exception, as they should be able to accomplish directly in Workday
Do not share sensitive information If:
- The requestor’s identity cannot be confidently verified
- The request seems suspicious or inconsistent with normal procedures
- The requestor refuses to provide identifying information
Examples of Sensitive Information
- Student ID numbers designated as FERPA private information by the student
- Social Security Numbers
- Grades, academic, and disciplinary records
- Financial or payroll data
- Health, medical, or disability information
- Credit and debit card numbers
See the Confidential Information Policy for more details and examples of information that is protected by law may only be disclosed to authorized persons.
Important reminder
When in doubt, do not disclose. Politely inform the caller or visitor that you will follow up through official channels or refer them to the appropriate office.